| From the CVE entries:
Cross-site request forgery (CSRF) vulnerability in the forum code in Moodle
1.7 before 1.7.7, 1.8 before 1.8.8, and 1.9 before 1.9.4 allows remote
attackers to delete unauthorized forum posts via a link or IMG tag to
post.php. (CVE-2009-0499)
Cross-site scripting (XSS) vulnerability in course/lib.php in Moodle 1.6
before 1.6.9, 1.7 before 1.7.7, 1.8 before 1.8.8, and 1.9 before 1.9.4
allows remote attackers to inject arbitrary web script or HTML via crafted
log table information that is not properly handled when it is displayed in
a log report. (CVE-2009-0500)
Unspecified vulnerability in the Calendar export feature in Moodle 1.8
before 1.8.8 and 1.9 before 1.9.4 allows attackers to obtain sensitive
information and conduct "brute force attacks on user accounts" via unknown
vectors. (CVE-2009-0501)
Cross-site scripting (XSS) vulnerability in blocks/html/block_html.php in
Snoopy 1.2.3, as used in Moodle 1.6 before 1.6.9, 1.7 before 1.7.7, 1.8
before 1.8.8, and 1.9 before 1.9.4, allows remote attackers to inject
arbitrary web script or HTML via an HTML block, which is not properly
handled when the "Login as" feature is used to visit a MyMoodle or Blog
page. (CVE-2009-0502) | 